Posted
by
timothyon Friday November 09, 2012 @09:52PM
from the it's-like-voltron dept.

An anonymous reader writes "Now that Windows 8 is on sale and has already been purchased by millions, expect very close scrutiny of Microsoft's latest and greatest security features. 0-day vulnerabilities are already being claimed, but what about the malware that's already out there? When tested against the top threats, Windows 8 is immune to 85 percent of them, and gets infected by 15 percent, according to tests run by BitDefender."

They neglected to mention how many of the 15% that got through required user stupidity to infect the system. It will be interesting to see how long it takes for the first Metro based malware to appear, and how long before some of it sneaks onto Microsoft's marketplace.

It's not due to "WSE". Windows 8 is highly incompatible with previous versions (google for all the stuff that wont run under W8 anymore).In most cases the fixes required are very simple and I'm sure malware developers will be catching up fast.

Any software relying on kernel level integration that changed won't work.. IIRC this includes some of the network stack this time around, as well as some of the filesystem interfaces. There's very little that won't work... the less advanced the software the more likely it works from all the way back in early win32 days (3.x)... that said, a lot of that old software needs to install in an unprotected directory to work, not program files.

The reason being it is an AV maker releasing it. They have reason to want to say "Oh the built in AV scanner sucks, you should buy ours!" They may be stacking the results.

AV Comparatives puts MS Security Essentials at about 95% in their latest test, not 85%. Bitdefender is 99.2%.

However one reason for that is false positive rate. MS is willing to trade off some detection to keep it low, because users get pissed off and want to get rid of scanners with lots of false positives. MSE had 0 false positives, BitDefender had 10.

None of this is to say getting a better virus scanner isn't a good idea, just take anything from a company selling a product in an area with a grain of salt. AV Comparatives seems to indicate that wile MSE is certainly not one of the best virus scanners, it isn't bad.

It depends on your sample size and method. BitDefender took the top 385 malware recent, and came up with the 15% figure. I'm betting AV Comparatives took a much different, likely broader, sample. Makes sense that as you take a larger sample of less "popular" (which is more or less by necessity less infectious) and/or older (which is more likely to spread using now-fixed vectors) malware, the success rate will grow higher. I'd say the BitDefender method is more useful, as it selects the malware that you are

I would have gone with Panama Disease [wikipedia.org]In the '50s, it wiped out the global monoculture that was banana farming.

The banana industry switched to a new monoculture, which they thought was immune to Panama Disease.But the new banana is only immune to a specific strain, which is why Panama Disease is once again slowly spreading across the global.

Why, not a single malware application can be installed on a banana! They too are immune.
Therefore bananas are now the most secure OS

No that is not true the best is Apple. The problem you do have is deciding which version you want such as "Granny Smith", "Red Delicious", etc. However unlike the banana which can go brown fairly quickly compared to the Apple you do have to watch out for worms.:)

Really? I've seen some pretty nasty looking, mold-infested bananas before. Hell, I can't even finish a bunch before at least one or two get soft and gross. I've been running Linux nearly exclusively for five years and it has never had the same problem, nor even one virus.

Reacting is always easy, that's why malware is so efficient. There are AV kits out there that detect 98+ percent of the current malware. Problem is not the malware we know about already, the problem is new malware that infects before patches can be applied and AV signatures can be updated.

OF COURSE a new system is more resilient against current malware. By the very nature that a lot of exploits simply don't work anymore because, well, different codebase, different handling of various things malware relies on. By that logic, MacOS is even superior to Win8 because because zero malware for Win7 can infect MacOS.

The more interesting question is why 15% (one in seven) malware threats still work on Win8.

That's interesting, the original security press release is quite negative - "Newly launched Window 8 is prone to infection by some 15 per cent of the 100 malware families most used by cyber criminals this year, even with Windows Defender activated, Bitdefender testing revealed." but somehow that's become a positive "Windows 8 protected from 85% of malware detected in the past six months, right out the box"

The original point is that Windows Defender can't detect 15% of this years most popular malware, that's not exactly great for an AV program, or maybe Bitdefender has just written a shill piece with a hand picked sample of unusual malware that trip most AV programs up to flog their own AV solutions?

At any rate the figures useless because they didn't compare it to a fully patched Windows 7 system or alternative AV programs, why did this even make the homepage?

Bitdefender sells security products. Can we get a number from somebody a little less biased, or perhaps somebody biased against microsoft? How about a consulting firm with a good reputation the prefers Linux, but grudgingly supports MS because they have to? Anyway, Bitdefender has an incentive for you to think Win8 is insecure. How are they defining malware? Stuff that says, "to install, please enter admin password"? If 15% of the "malware" comes with those instructions, it'll infect anything.

so what do the numbers mean? that there are a bunch of 0-days out there that they know but haven't bothered to report or fix in the last 6 months? so the stuff silently installs and does naughty things while you surf your daily dose of naked chicks? or if you download the exe, run it as admin and see what happens, then 15% of the time it works?

I keep wondering. Software keeps getting better because computers get faster and labor gets cheaper. If you throw enough resources at it it gets done. But most of us entry level techs make our daily bread fixin' up this stuff. It's another symptom of increased productivity. Things get better and better so there's less work to do. But if there's less work there's less jobs, and our whole society is built on Jobs. People can't stand the thought of someone getting paid and not working for it. Jesus, what would

Interesting analogy. To be safe, I will continue to refrain from having sex with whores, other dudes (especially the gays), and IV drugs users, and I will continue to avoid MS products as much as possible. Here's to Linux and safe, heterosexual sex!*

* I do not believe or assert that using Linux is anything like having sex, nor do I live in my mom's basement

The most current version of the OS still is vulnerable to 15% of known threats? That's a pretty damning track record if you ask me.It means that a billion dollar corporation that put security high on its agenda for several years now still can't create something that is secure against well-known attacks, and can't keep up with patches and let's not even talk about pro-active security.

True, there is no such thing as 100% security. Even OpenBSD has had its 0-days. But we're not talking about 0-days here, we are talking about known threats that have been out there for months.

For my part, it's not hate. It's simply two decades of experience showing that every other windows release sucks. Since Vista sucked and 7 was halfway decent, 8 is going to suck. Microsoft isn't one to break with long traditions, is it?

So basically, I don't hate it, I just don't care. My point was about how a specific perspective changes the message.

Windows 8 is not "immune" to 85% of malware any more than Linux is... The malware was simply never written for windows 8 and is subsequently incompatible with it. Once malware is specifically written to target windows 8 the situation will change.Windows 7 also suffered very low malware infection rates when it was first released, it just took a little while for new malware to be written and for it to propagate.

Linux is not 100% secure. Linux is very secure, and is certainly more secure than Microsoft's OSes, but vulnerabilities are discovered all of the time. The biggest distinction is that since Linux is openly developed with the potential for anyone to contribute and for everyone to see, there aren't large, untested milestone releases without public eyes on them like commercial OSes. By the time that the experimental version becomes the release version it's already been vetted. Microsoft doesn't have the same quantity of testing because while there is a beta program, it's not designed to be thoroughly examined.

In the last couple versions of Windows, MS has been trying to implement something like the old (pre SELinux) *nix security model. This after having removed it. Why? Because they had removed the security, for good reason, and the *nix model is a good one.
In the old days, there were network operating systems. Many users had terminals to one computer, which protected one user's work from other users mistakes or malice. It was designed for security and it was Unix. It was also huge and EXPENSIVE.
One day a guy wanted an OS to fit on a 512k floppy disk and run with 128k RAM so people could afford computers at home. Single home computers, not corporate networks. To make Disk Operating System fit on a floppy, he removed stuff DOS didn't need, like security. (No network meant few threats.) A GUI was added. Backwards compatibilty was maintained with the "no security needed" DOS. Then the internet happened, and Bill crapped his pants. Since then, MS has been trying to design security back in, while maintaining backward compatibility. DOS programs still run on Vista, without running into problems with new security added since Disk Operating System.
Linux has always been a network OS, never a disk OS, and has therefore never removed the security model.

The overwhelming number of Linux servers worldwide are behind firewalls and will rarely ever attempt to reach out blindly to the internet. There aren't nearly as many attack vectors to exploit. It's far easier to find some bad PHP code to exploit, or an unpatched version of Apache than it is to attack it using traditional methods that might work on a user machine.

Which versions of Linux? Are you saying on binary can attack all of them? No. You are not. Windows has decades of backwards compatibility to deal with. Don't try and compare phones with desktops. Callin bs on that bs out of the gate.

It's not more secure because it's more obscure, it's more secure because it's better.

Yes and no. What versions of Linux are those machines running? What versions of Apache, MySQL, PHP are they running? Very few Linux installs have common attack vectors.

- The vast majority of common attack vectors on Windows require user interaction. The vast majority of your Linux installs have no users.- The next big group of common attack vectors on Windows require popular end user software (Acrobat, flash, IE, etc). The vast majority of Linux installs don't have those.

There are many documented cases of attacks on Apache, but again there are many different versions of Apache in common use, and MANY of your Linux installs lack Apache anyway.

Linux benefits greatly from obscurity since there's no extremely popular attack vectors that can be leveraged on an insanely large number of systems, and in those cases where such vectors exist they are often exploited.

And typically takes requests for files and serves them. That has to be done fast, but it's not really that hard. Web servers and routers aren't quite up to the same par as a general-purpose desktop machine designed for ordinary people who don't even know the difference between a virus and a trojan.

Realistically, most security is at the application level these days. You don't need root access to steal peoples' information. Just look at how much havoc you can cause by hitting a web browser with one clever block of JavaScript.

I don't know if you've heard, but Linux/Android PC's are moving 1.5 million units per day, with a half-billion unit installed base. At the current rate of growth Linux PCs will exceed Earth's human population in Q3 2014.

Sorry, that sounded silly back in 1996 and it's fucking stupid now. Your TV probably runs linux and connects to the internet these days, most likely via a linux wifi access point or router. The "market share" is enormous.

Ah yes. But which Linux? There is, what, 20+ major distributions and dozens or hundreds of minor ones? Even calling all of them a single OS is almost a stretch, given that some of them have almost nothing in common with each other. That's not one target, it's a few dozen. And it's hacked all the time, just rarely using automated malware tools (because, again, those aren't terribly effective against heavily fragmented targets).

Actually, when it comes to out-of-the-box security as well as the possibilities offered to knowledgeable admins, Linux isn't really far away from Windows. Both have, from the point of view of a security expert, horrible out-of-the-box security and can be sealed tightly by the hands of good admins.

The main reason why there is less malware for Linux is simply that malware is a business: It's the same reason why there is also less other commercial software for Linux.

What red flag? You mean the "Do you really want to do this? Yes/No" message? You know, the one that everyone is going to look at and say, "well fucking duh, yes I want to do this, or I wouldn't have told you to do it anyway," just like in the old DOS/Win9x days of "Yes/No/Retry/Fail"? Why no, Windows, I actually want the process to fail, and I don't actually want to install that program...

Windows has Windows Resource Protection [wikipedia.org] (WRP). Unlike Linux/Unix, even if you run as an administrator (equivalent to root) you *do not* have permission to change operating system files. Only the TrustedInstaller account can change those files. Furthermore, the files are designated system integrity level raising another barrier. Even if a malicious process succeeds in fooling a user into elevating to high integrity level with administrator privileges, it cannot change those files. WRP also performs integrity

Linux is still used predominantly by clued users and/or administrators who (usually) know what they're doing. The amount of clueless computer users who also have the root password is fairly low. And the average user with a clue doesn't click everything sent to him, the average admin cannot because he can't check his mail on the server (at least if security did their job).

"openly developed with the potential for anyone to contribute and for everyone to see"

I am continually amazed that people think just because they have the source code to an OS they can just scan the code and locate security holes. The low hanging fruit is long gone in today's popular OS's. OS security holes and weaknesses are found by combining and testing multiple executable decision trees with varying environmental factors and then analyzing the captured results which usually includes sorting through binary output, assembler output, and real time memory mapping looking for anomalies. Finding OS level security holes also requires an in-depth knowledge of the various CPU processor instruction sets, memory allocation models, and memory manipulation. To many developers equate OS development with Application development when in reality they are almost entirely different animals requiring radically differing skill sets.

It's amazing that some people insist that we can't do something which we do all the time. Look at the CVEs man, we find and fix weaknesses all the time.
If you did look at the CVEs, you'd find my name. That's pretty solid proof that you're mistaken - I can find vulnerabilities because I do find vulnerabilities.
When it comes to Windows, I don't know Windows. I haven't used Windows in fifteen years. When people ask me to work on their computer, I turn away all Windows work except "I forgot my password

All bugs are found by *someone* doing *something* (obviously). That something is either running some software, or developing some software. The big difference between the world of Linux/FOSS and Windows/proprietary software is: is the dirty laundry aired in public, or in private?

In the world of Linux, if a developer (either application or kernel) discovers a bug, it ends up on publicly-accessible mailing lists etc. If a Windows developer finds a bug, the only people who w

You're comparing vulnerabilities found by external forces with totally no insight into the inner workings of an OS to all the vulnerabilities that are found by both external forces and people with intimate knowledge and years of experience in good coding for said system. For a good comparison, you would need to open source Windows and compare the leaks found both internally and externally at Microsoft and I'm not even talking about the methodology of your picking of statist

really? do you think that malware written to take advantage of exploits in the windows OS won't work on linux? thanks for that revelation. linux wins again.

You never know, Perhaps if WINE is running a Linux host could be at risk... (Not that I know of any viruses that could infect a Linux computer running WINE, except for one case where user intervention is required, but there is a first time for everything.)

I had some guy that downloaded something that pretended to be a dodgy PDF encyption cracking tool but was really a virus, and he infected Win4lin with it. Hilarious, the thing tried to fuck with bits of the system that did not exist. It took seconds to fix since all I had to do was rename an older Win4lin image on that PC. I think that was in 2004. I've seen nothing like that since.

I must nominate flash. Java next.
Avoid those and you have a better chance.
Add common sense and your odds are improved. Toss in firefox
with noscript, and adblock, and you should
be in good shape. At that point, it will not really
matter if you get rooted, you should be able to re-install/recover your non-NONFREE OS quickly.
Basically you really only need to worry about DPI
and BIOS/UEFI based rootkits/backdoors.
If you are still concerned, then pull the plug
and get off the net.

Oh, you so smart! OF COURSE malware designed for Windows won't run on non-Windows! That's like copying bash from your Linux-installation to your Windows-installation and complaining how F/OSS software sucks because it doesn't run.

I actually have tried that. A lot of the malware that runs fine on Windows crashed or just didn't work properly under Wine. Does that mean Wine is broken, or that the devs haven't broken it enough yet? I can't decide!

The story is about existing malware not new malware. Win 8 for the majority of software is 100% compatible with win 7, just win 8 includes defender to catch a lot of it out of the box. It is a good move, I just hope they keep going with it and get the out of the box detection rate even higher.

even better, since its now going to be on desktops, tablets and phones... AND the justification of writing shit that is hardware bound is next to nill in our web 4.0 world, you only need to write one chunk of shit to fuck everyone up at once

15% of malware out there? You've read into the story exactly what the zealots wanted you to. Windows 8 can't get infected by "15% of malware". It can run 15% of malware which targets the Windows 7 platform, and almost all of it requires user intervention in order to activate.

A more apt comparison would be seeing what percentage of malware can infect a non-tweaked automatic install of Ubuntu 12 (as the native ISO comes), that was specifically written to target flaws in Ubuntu 11.